cert-manager automates TLS certificate management in Kubernetes. It issues certificates from ACME CAs such as Let's Encrypt, from HashiCorp Vault and Venafi, from a CA whose key you keep in a Secret, or self-signed, stores the key pair in a Kubernetes Secret, and renews each certificate automatically before it expires.
Free, open source, CNCF graduated. The de facto standard for TLS in Kubernetes.
## Why Use cert-manager?

- Automatic issuance: declare a `Certificate` and cert-manager drives the CSR, validation and Secret creation
- Auto-renewal: certificates renew before expiry (by default at two thirds of their lifetime), with no cron jobs or manual rotation
- Let's Encrypt: free, publicly trusted TLS certificates, with domain validation (ACME HTTP-01 or DNS-01) handled for you
- Multiple issuers: ACME (Let's Encrypt and others), Vault, Venafi, your own CA, self-signed, plus external issuers such as AWS Private CA
- Ingress integration: a single annotation on an Ingress provisions and renews its TLS Secret
## Quick Setup

### 1. Install

```bash
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager --create-namespace \
  --set crds.enabled=true
```

`crds.enabled=true` installs the CRDs from the chart (older chart versions used `installCRDs=true`). Pin `--version` to a release you have tested so an unreviewed chart upgrade cannot change issuer behaviour underneath you.
### 2. Create Let's Encrypt Issuer

```bash
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: spinov001@gmail.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
```

Put your own email here; Let's Encrypt sends expiry warnings to it. The ACME account private key is generated into the Secret named by `privateKeySecretRef` in the `cert-manager` namespace; treat it as a credential, since whoever holds it can request certificates under that account. While testing, point `server` at `https://acme-staging-v02.api.letsencrypt.org/directory` so failed attempts do not burn production rate limits. The HTTP-01 solver publishes a challenge through an Ingress of the given class, so port 80 of every requested hostname must reach the nginx ingress from the public internet; recent releases also accept `ingressClassName: nginx` in place of `class`.
### 3. Request a Certificate

```bash
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-app-tls
spec:
  secretName: my-app-tls-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - myapp.example.com
  - api.example.com
EOF
```

The Certificate is namespaced, and the resulting Secret (`tls.crt` and `tls.key`) is written into the same namespace, so anyone with read access to Secrets there holds the private key. Every name in `dnsNames` must route to the nginx ingress for HTTP-01 to succeed; wildcard names need a DNS-01 solver instead. Set `privateKey.rotationPolicy: Always` so each renewal generates a fresh key rather than re-signing the old one (older releases default to `Never`).

```bash
# Check status
kubectl get certificates
kubectl describe certificate my-app-tls
kubectl get certificaterequests
```
### 4. Auto-TLS with Ingress

```bash
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts: [myapp.example.com]
    secretName: my-app-tls
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app
            port: {number: 80}
EOF
```

With the annotation present, cert-manager's ingress-shim creates a Certificate named after `secretName` (here `my-app-tls`) for the hosts in the `tls` block and keeps that Secret renewed. Use either step 3 or this step for a given hostname, not both: this Ingress would create a Certificate called `my-app-tls`, the same name as the one applied in step 3. If nginx is not the cluster's default ingress class, add `ingressClassName: nginx` to the spec so the ingress that serves the app is the one the HTTP-01 solver expects.
### 5. Check Certificate Status

```bash
# All certificates, with readiness and expiry (ready is null until the first reconcile)
kubectl get certificates -A -o json | jq '.items[] | {namespace: .metadata.namespace, name: .metadata.name, ready: ([.status.conditions[]? | select(.type=="Ready") | .status][0]), notAfter: .status.notAfter}'
# Certificate requests (one per issuance attempt)
kubectl get certificaterequests -A
# Orders (ACME)
kubectl get orders -A
# Challenges (ACME validation); a stuck certificate usually shows its error here
kubectl get challenges -A
```
## Python Example

```python
from kubernetes import client, config

# Uses the current kubeconfig context; the identity needs list access to
# certificates.cert-manager.io at cluster scope.
config.load_kube_config()
api = client.CustomObjectsApi()

# List all Certificate objects across namespaces
certs = api.list_cluster_custom_object(
    group="cert-manager.io", version="v1", plural="certificates")

for c in certs["items"]:
    name = c["metadata"]["name"]
    ns = c["metadata"]["namespace"]
    status = c.get("status", {})  # absent until cert-manager has reconciled the object
    ready = any(cond["type"] == "Ready" and cond["status"] == "True"
                for cond in status.get("conditions", []))
    expiry = status.get("notAfter", "unknown")
    print(f"Cert: {ns}/{name} | Ready: {ready} | Expires: {expiry}")
```
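Listing readiness and expiry is the first step; the checks a practitioner actually wants on the status fields from step 5 and the Certificate settings from step 3 are "why is it not Ready", "is renewal silently failing", "is the key ever rotated" and "is this issuer the staging one". The following audit is an added example, not cert-manager's own tooling. It works on plain dicts shaped like `cert-manager.io/v1` Certificate and ClusterIssuer objects, so it runs offline on the constructed sample data at the bottom; `fetch_live()` shows the kubernetes-client calls that would feed it real objects. The finding codes, the 14-day window and the sample names are this example's own assumptions.

```python
"""Audit cert-manager Certificate objects: readiness, expiry, key rotation, issuer.

Added example (not cert-manager code). Finding codes, thresholds and the sample
objects below are this example's own conventions, not cert-manager fields.
"""
from datetime import datetime, timedelta, timezone

STAGING_ACME = "https://acme-staging-v02.api.letsencrypt.org/directory"


def condition_status(obj, cond_type):
    """Return "True"/"False"/"Unknown" for a status condition, or None if absent.
    A Certificate that has never been reconciled has no status block at all."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == cond_type:
            return cond.get("status")
    return None


def parse_rfc3339(value):
    """cert-manager writes notAfter/renewalTime as RFC 3339 UTC, e.g. 2025-07-30T12:00:00Z."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_certificate(cert, issuers, now, expiry_window=timedelta(days=14)):
    """Return the list of finding codes for one Certificate.

    issuers maps issuer name -> ClusterIssuer object so the ACME server behind
    spec.issuerRef can be inspected."""
    findings = []
    spec = cert.get("spec", {})
    status = cert.get("status", {})

    # Ready != True: the Secret is missing, stale, or the last issuance failed.
    if condition_status(cert, "Ready") != "True":
        findings.append("not-ready")
    # Issuing=True plus a non-zero failedIssuanceAttempts counter means a retry loop
    # (typical cause: the HTTP-01 challenge URL is not reachable from the internet).
    if condition_status(cert, "Issuing") == "True" and status.get("failedIssuanceAttempts", 0) > 0:
        findings.append("issuance-failing")

    # Auto-renewal should keep notAfter far away; a near expiry means renewal is failing.
    not_after = parse_rfc3339(status.get("notAfter"))
    if not_after is not None and not_after - now < expiry_window:
        findings.append("expires-soon")

    # Without rotationPolicy: Always the same private key is reused on every renewal,
    # so a leaked key stays usable for as long as renewals keep succeeding.
    if spec.get("privateKey", {}).get("rotationPolicy") != "Always":
        findings.append("key-not-rotated")

    # A staging ACME issuer is right for testing, but its certificates are not browser-trusted.
    issuer = issuers.get(spec.get("issuerRef", {}).get("name"), {})
    if issuer.get("spec", {}).get("acme", {}).get("server") == STAGING_ACME:
        findings.append("staging-issuer")

    return findings


def audit_all(certs, issuers, now):
    """Map "namespace/name" -> findings for every Certificate."""
    return {f'{c["metadata"]["namespace"]}/{c["metadata"]["name"]}': audit_certificate(c, issuers, now)
            for c in certs}


def fetch_live():
    """Pull real objects with the kubernetes client (same calls as the page's example)."""
    from kubernetes import client, config  # only needed for live use
    config.load_kube_config()
    api = client.CustomObjectsApi()
    certs = api.list_cluster_custom_object("cert-manager.io", "v1", "certificates")["items"]
    issuers = api.list_cluster_custom_object("cert-manager.io", "v1", "clusterissuers")["items"]
    return certs, {i["metadata"]["name"]: i for i in issuers}


# Constructed sample data (not from a real cluster). Timestamps are relative to NOW.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def _cert(name, issuer, ready, not_after_days, rotation=None, issuing=False, failed=0):
    """Build a minimal Certificate dict shaped the way cert-manager populates it."""
    spec = {"secretName": f"{name}-secret", "dnsNames": [f"{name}.example.com"],
            "issuerRef": {"name": issuer, "kind": "ClusterIssuer"}}
    if rotation:
        spec["privateKey"] = {"rotationPolicy": rotation}
    conds = [{"type": "Ready", "status": "True" if ready else "False"}]
    if issuing:
        conds.append({"type": "Issuing", "status": "True"})
    return {"metadata": {"name": name, "namespace": "default"}, "spec": spec,
            "status": {"conditions": conds, "failedIssuanceAttempts": failed,
                       "notAfter": (NOW + timedelta(days=not_after_days)).strftime("%Y-%m-%dT%H:%M:%SZ")}}


SAMPLE_ISSUERS = {
    "letsencrypt-prod": {"spec": {"acme": {"server": "https://acme-v02.api.letsencrypt.org/directory"}}},
    "letsencrypt-staging": {"spec": {"acme": {"server": STAGING_ACME}}},
}
SAMPLE_CERTS = [
    _cert("my-app-tls", "letsencrypt-prod", ready=True, not_after_days=60),  # step 3 shape, no rotationPolicy
    _cert("hardened", "letsencrypt-prod", ready=True, not_after_days=60, rotation="Always"),
    _cert("stuck", "letsencrypt-staging", ready=False, not_after_days=5, rotation="Always", issuing=True, failed=3),
]

if __name__ == "__main__":
    for key, findings in audit_all(SAMPLE_CERTS, SAMPLE_ISSUERS, NOW).items():
        print(f"{key}: {', '.join(findings) or 'ok'}")
```

Run it as-is to see the three sample verdicts; replace the sample call with `certs, issuers = fetch_live()` to audit a real cluster. Readiness is read from the `Ready` condition rather than from the Secret's existence on purpose: a Secret can linger with an old certificate while every renewal fails, and only the condition plus `failedIssuanceAttempts` exposes that.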
## Key Resources

| Resource | Description |
|---|---|
| Certificate | Namespaced. The desired certificate: DNS names, issuer, target Secret, duration, key policy. cert-manager keeps the Secret issued and renewed to match it. |
| CertificateRequest | Namespaced. The one-shot CSR cert-manager creates for each issuance of a Certificate; inspect it when a Certificate is not Ready. |
| Issuer / ClusterIssuer | Certificate authority configuration (ACME, CA, Vault, Venafi, SelfSigned). An Issuer serves its own namespace; a ClusterIssuer serves every namespace. |
| Order | Tracks one ACME order, created per CertificateRequest against an ACME issuer. |
| Challenge | One ACME validation (HTTP-01 or DNS-01) per DNS name in an Order; its status records why validation failed. |